Esri / geoportal-server

Geoportal Server is a standards-based, open source product that enables discovery and use of geospatial resources including data and services.
https://gptogc.esri.com/geoportal
Apache License 2.0
245 stars 149 forks

Bundled jar files have known vulnerabilities #250

Open willc opened 7 years ago

willc commented 7 years ago

Not sure if anyone looks at this, but multiple vulnerabilities due to outdated libraries turned up in some scans we did (dependency-check).

arcgis_ws_runtime.jar
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7232
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1661
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-4278

axis.jar
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3596
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5784

batik.jar
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0250

commons-beanutils-1.8.0.jar
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0114

commons-collections-3.2.jar
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6420

commons-fileupload-1.2.jar
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3092
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0050
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0248

commons-httpclient-3.1.jar
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3577
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6153

jopenid-1.07.jar
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-1652
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-1651

standard-1.0.6.jar
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0254

struts-core-1.3.10.jar
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1182
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1181
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0899
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0114
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1007

struts-tiles-1.3.10.jar
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1182
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1181
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0899
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0114
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1007

mhogeweg commented 7 years ago

thanks! assigned to dev team.

willc commented 7 years ago

Curious about the progress on this.

mhogeweg commented 7 years ago

We have released Geoportal Server 1.2.9 where we have addressed many of these issues. In this release we no longer use Struts, but have switched to Tiles.
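
The report at the top of this thread names bundled jars by file name and version, and the last comment states that 1.2.9 addressed many of them and dropped Struts. The fastest way to check any release against that list is to inventory WEB-INF/lib in the shipped WAR and compare it with the reported (artifact, version) pairs. The script below is an added example and is not part of Geoportal Server or its build; the WAR it inspects is constructed in memory for the demonstration (the commons-fileupload-1.3.2 jar and the axis manifest version 1.4 are sample values, not a statement about what any Geoportal release actually bundles), and REPORTED repeats only the jars above whose file names carry a version.

```python
"""Inventory the jars inside a WAR and compare them with the jar/version
list posted in this issue.

Added example, not Geoportal Server code. build_sample_war() constructs a
throwaway WAR for the demo; REPORTED repeats the versioned jar names from
the report above (arcgis_ws_runtime.jar, axis.jar and batik.jar carry no
version in their file names, so they are resolved via MANIFEST.MF instead).
"""
import io
import re
import zipfile

# Maven-style file name: <artifact>-<version>.jar, version starting with a digit.
JAR_NAME_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[^/]*)\.jar$")

# (artifact, version) pairs exactly as they appear in the report above.
REPORTED = {
    "commons-beanutils": "1.8.0",
    "commons-collections": "3.2",
    "commons-fileupload": "1.2",
    "commons-httpclient": "3.1",
    "jopenid": "1.07",
    "standard": "1.0.6",
    "struts-core": "1.3.10",
    "struts-tiles": "1.3.10",
}


def manifest_version(jar_bytes):
    """Read Implementation-Version (or Bundle-Version) from META-INF/MANIFEST.MF."""
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
            text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError):
        return None
    for key in ("Implementation-Version", "Bundle-Version"):
        m = re.search(rf"^{key}:\s*(\S+)", text, re.MULTILINE)
        if m:
            return m.group(1)
    return None


def inventory_war(war_bytes):
    """Return {artifact: version or None} for every jar under WEB-INF/lib/."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            if not (name.startswith("WEB-INF/lib/") and name.endswith(".jar")):
                continue
            base = name.rsplit("/", 1)[-1]
            m = JAR_NAME_RE.match(base)
            if m:
                found[m["artifact"]] = m["version"]
            else:
                # Unversioned file name (axis.jar, batik.jar, ...): look inside.
                found[base[:-4]] = manifest_version(war.read(name))
    return found


def compare_to_report(found, reported=REPORTED):
    """Classify each reported artifact as 'still_reported_version', 'changed' or 'absent'."""
    result = {}
    for artifact, version in reported.items():
        if artifact not in found:
            result[artifact] = "absent"
        elif found[artifact] == version:
            result[artifact] = "still_reported_version"
        else:
            result[artifact] = "changed"
    return result


def _jar(impl_version=None):
    """Build a minimal jar (zip with only a manifest) for the constructed WAR."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        lines = ["Manifest-Version: 1.0"]
        if impl_version:
            lines.append(f"Implementation-Version: {impl_version}")
        z.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines) + "\r\n")
    return buf.getvalue()


def build_sample_war():
    """Constructed sample WAR: one jar still at a reported version, one at a
    different (hypothetical) version, one unversioned file name whose version
    lives only in its manifest, and no struts jars at all."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/lib/commons-collections-3.2.jar", _jar())
        war.writestr("WEB-INF/lib/commons-fileupload-1.3.2.jar", _jar())  # sample value
        war.writestr("WEB-INF/lib/axis.jar", _jar("1.4"))  # sample value
    return buf.getvalue()


if __name__ == "__main__":
    found = inventory_war(build_sample_war())
    for artifact, status in sorted(compare_to_report(found).items()):
        print(f"{artifact:22} {status:24} bundled={found.get(artifact)}")
```

To run it against a real release, replace `build_sample_war()` with the bytes of the downloaded WAR. The file-name regex follows the plain Maven `<artifact>-<version>.jar` convention and will misparse names that carry a classifier, so treat "changed" as "re-scan with dependency-check", not as "fixed"; a different version is only evidence that the jar moved, not that the CVEs above no longer apply.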